[Webinar Transcription] Navigating the Cyber Landscape: Strategies and Capabilities of Iran, China, North Korea and Russia

March 28, 2024

The government, along with Law Enforcement, is heavily impacted by ever-evolving technology and there is a multitude of malicious actors conducting espionage, stealing data, attempting to infiltrate, and shut down systems critical to everyday life.

These malicious actors with a proven state-sponsored tie are often called Advanced Persistent Threats (APTs). The digital realm is heavily involved in geopolitical conflict, and its role and that of adversarial actors must be explored.

In this session, we will dive into the big 4 cyber adversaries:

Explain how cyber experts are trained
Explore the use of front companies and technology to online activities
Examine ties to their governments
Cover common offensive and defensive capabilities
Glimpse into the possible future with AI used in operations

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.

Mark: My name is Mark Turnage, I’m the CEO and Co-Founder of DarkOwl and with me, I have Erin Brown, who’s our Director of Intelligence. We’re pleased that you joined us here this morning. I’m just going to make some introductory remarks, and we’re going to conduct this webinar as a sort of fireside chat between me and Erin and talk about four cyber countries – powerful cyber countries: Iran, North Korea, China, and Russia.

Just a couple of introductory remarks from me, we live in very interesting times. It’s a very famous Chinese curse and I think it’s fair to say that over the last several years, the world has become considerably more uncertain and more unstable. We have wars being waged in Ukraine, in the Middle East, we have a considerable amount of tension in East Asia, between China and Taiwan, and against that backdrop, there are a number of elections taking place this year around the world, including here in the United States, our presidential election. All that means that the cyber sphere has become even more important and more deserving of our attention as we think about that instability and how to better manage that instability. And against that background, four countries are continually mentioned: Iran, Russia, China, North Korea. Interestingly enough, two of those, China and Russia, are quite large countries and powerful in their own right. Two of them, North Korea and Iran, are cyber superpowers, in spite of being relatively small and in the case certainly of North Korea, having quite a small economy. So, we thought it would be useful to talk, to have a conversation about those four countries and talk about their cyber capabilities and how they use the cyber sphere, both for their own purposes and to sow instability and discord. So, with that, I’m going to just start asking Erin some questions.

What are the main cyber threats posed by these four countries?

Erin: There are a lot of different threats that they’re posing, and it really depends on what they’re trying to achieve. We see them conducting cyber espionage, we see intellectual property theft, attacks on infrastructure. It really depends on what their motivations are and they have many groups within their countries that are conducting these types of attacks – but most of them, all four of them, I would say, have a joint desire to advance their global influence. They all want to be the superpower of the world and they want to do that in both the digital and the physical world. We’re seeing that overlap, as you just mentioned in your introduction, as there’s more and more real-world conflicts happening. We’re seeing a huge cyber element to that. But then they do have their own distinct motivations as well in terms of what operations they’re conducting. North Korea, for example, we’ve seen them conducting a lot of attacks that lead to financial gain because they’re using those funds to finance other operations that they’re doing and things that they’re doing within the country. So, they all pose a huge amount of risk to both countries and organizations in terms of what they’re trying to achieve to advance their global power, basically.

And is it fair to say that of those four, North Korea is the most quote unquote, financially oriented in terms of their cyber activities? Or is the same true, say, of Russia?

I would say so. I think we know North Korea from a government perspective, is doing that financial motivation and gain. I think with Russia, especially and Iran, to a certain extent as well, we see that overlap and bleeding between who is the state-sanctioned, state-sponsored groups, and those actors that maybe the state is allowing them to operate. So obviously, you know, the ransomware gangs in Russia are making a huge amount of money off of corporations worldwide and there are suggestions that they’re at least allowed to conduct their activities by the Russian government. One could infer from that that the Russian government may be getting kickbacks from them and from that type of activity, but we don’t see necessarily the state-sponsored groups that are the military groups necessarily having that financial motivation and other countries. But Iran and Russia certainly have that criminal overlap.

Which brings us to the question of how these countries actually organize their cyber operations. You mentioned that some of them may or may not incorporate private actors in those operations, and others are more official. So, how do they organize their operations?

It’s quite a complex makeup across all the different countries and they all do it slightly differently. You do get those differences between what is state-sponsored, what is state-sanctioned, what is state-allowed. So, there are all of these distinctions within how you group them, but primarily, we see that the countries have military and civilian intelligence services. So, they’ll have military operators that are part of their armed forces that are going out and conducting these cyberattacks, and then you’ll also have intelligence agencies. So similar to how we have the CIA in the US, they have their equivalents that will also be conducting cyber operations on their behalf as well and depending on who’s conducting the attack, you’ll see different types of attacks and different victims as well in terms of what they’re trying to achieve.

But then we do also see civilians that are somewhat separated from the government being utilized. So, we do see a lot of front companies being used by these countries. This will be a seemingly legitimate company that is set up in country that has government backing behind it. That’s not necessarily obvious, so that they can have that air of conducting activity and not being linked to the government, even though they are. Then also we do see, as we just mentioned, with the financial motivation, we do see in especially North Korea, around countries that don’t have as much stability and financial security. We’ll see these actors that are doing a day job with the government and then in the evening, they’ll be using those skills that they’ve learned with the government to conduct cyber activities and criminal activities. So, it’s a murky infrastructure in terms of how these are set up but I would say is all of these countries do have set up groups and organizations that are there to conduct cyber espionage and cyberattacks on other countries.

Mark: This odd mixture of official and unofficial criminal gangs must make attribution really difficult when you’re looking at an activity, trying to attribute who the actor is who is behind the actual action.

Erin: Yeah, it’s incredibly difficult. And I would say it’s probably more difficult for people like ourselves that are outside of the government remit to identify that information because it’s very noisy in terms of what’s being conducted, who’s doing what attacks, and then things like the malware that they use. A lot of countries will use off the shelf malware, but lots of other groups use that as well. So, just because a malware is being used doesn’t mean that it’s attributed to one particular group. Even if that group invented it. For instance, Stuxnet is a good example of that – it was developed by the US and the Israelis, but it has been utilized far and wide by other nation-states, and by criminal actors since then. So, it’s really difficult to know who is conducting these activities and mistakes are made in terms of these attributions as well between different groups. Whenever we’re looking at this attribution, whenever we’re looking at this activity, the attacks that are happening, we’ll make assumptions about what we think that’s connected to you don’t really know unless you’re in those groups and being able to see that. So attribution is incredibly difficult and when we’re talking about APTs and we’re talking about nation-states, we’re talking about probably the most sophisticated cyber actors that are out there, that most of the time are trying very hard to obfuscate their activities and obfuscate who they are and who is conducting them. It’s a very tricky thing to be able to attribute that activity. So, one of the things I would say about it is it’s more about knowing what the techniques are than knowing who is doing it so that you can protect yourself from those techniques and those vulnerabilities within your organization. I guess some might say it doesn’t really matter who’s doing it when it comes down to attribution, it just matters that you stop it. So, it’s an interesting balance.

Mark: Yeah. Although, if you’re a foreign leader, say, the president of the United States, the Prime Minister of Great Britain, the President of France, and your country is in some fashion attacked by a cyber operator, attribution becomes important in terms of how you respond. So that’s a challenge I’m sure that many leaders face.

Let me switch gears a little bit and talk specifically about China. The Great Firewall of China – what’s the impact of that on both their capabilities and on the ability of outsiders to see what’s happening in China?

Erin: For those who don’t know, I’m sure most people do, but the Great Firewall is what we refer to as the operations that China put in place to silo their internet from the rest of the world. So, it means that most of their citizens aren’t able to access the internet in the same way that we do and they’re not allowed to access certain things. So, it means that the government can really lock down the messaging and the news that citizens are being able to access. And as part of that, they do also have their own apps and search engines and things like that. A lot of social media like Facebook and Instagram and WhatsApp can’t be accessed in China. Instead, they have WeChat and WeChen and Weibo and other ways that they’re, doing that. It always from the outside is seen as a way of controlling the citizens and the messaging that they’re getting and what they’re able to do, but it does also highlight the sophistication that the Chinese government have in terms of cyber activities, in terms of how they’re able to monitor their own citizens and lock down that information and how sophisticated their surveillance and censorship is. So, it really highlights some of the skills that they have. It’s the same cyber operators influencing the Great Firewall as conducting some of these attacks that are happening, and it shows how they want to have their world order and what some of their motivations are in terms of the cyber operations that they’re targeting.

It’s worth mentioning that they aren’t the only country that’s doing that. Russia has Runet – they are expanding and trying to lock down what their citizens are able to see. And Iran and North Korea have very similar methodologies in place. I would say with North Korea, we know even less about that, just because of the isolationist way that North Korea operates. It’s very hard to know how that functions but I think it just demonstrates the sophistication that they have and the abilities that they have of surveillance and censorship that they utilize outside of the firewall as well as inside it.

Mark: So, from an adversarial perspective, we’re in an environment where these four countries have unencumbered access to the world’s internet. It’s open. We’ve made it open deliberately, but we have very limited access, on a variable basis to their internal country networks and I would put, you would put China at the top of that at the top of that list.

Erin: Yeah, definitely. So, it’s very hard as analysts. Going back to that attribution point as well, to know what’s going on inside of that firewall because they’re locking down that information. What messages are they sharing? What is it that they’re putting out about adversaries when there is a campaign that is publicly reported or Chinese actors are indicted, which has happened several times? What is the messaging that they’re putting inside internally? And I think, with Russia, we’ve seen this with the Ukraine war and the messaging that they’ve put forward about Ukraine to their citizens in terms of “they’re saving the country, it’s not a war, it’s a defensive position,” like very different to what we’re seeing outside of, of that realm. So, it definitely impacts on that attribution and what we’re able to understand about what they’re doing. One thing I would mention, just as well, because we’re a dark web company, but this is one of the ways that Tor can be used in a very legitimate way. I think we tend to focus on the dark web being a bad thing for criminal activities, but it’s a way that a lot of citizens are in these countries that have lockdown internet, are able to access Western and outside media and this is the reason that a lot of social media companies will have mirrors on the dark web. X, formerly Twitter, has it, Facebook has it, some governments have websites on the dark web. So, people are able to access that information. It’s a useful way for people to be able to get that outside information as well.

Can you talk about some of the notable cyber campaigns that have been conducted by these four countries?

Sure. There are a lot, and as we’ve already covered attribution is tricky in terms of how we associate particular campaigns that we’re seeing to particular countries and the groups within them. China has had some very significant operations in recent years targeting a lot of countries in their region. We’ve seen them spying on Cambodia, the Philippines, South Korea, and they do this using phishing techniques to gain access. So, you know, they are using some of the same techniques that we’re seeing criminals using that we’re all warned about at our companies in terms of “don’t click on a link.” Those sophisticated users are using those methodologies as well and we have seen things like when they recently targeted Japan’s space agency and one of the things that China is well known for is targeting companies in stealing intellectual property, and then taking that information back and using it to develop their own technologies and issue patents on their technologies. So, that is a thing that they continue to do in terms of expanding their power and what they have access to. That’s something that we’ve seen China doing a lot of recently.

With Russia, probably the most significant one that is fairly recent was that they targeted Microsoft’s corporate systems. They targeted the executives and I believe the legal team and were able to access some emails and documents, and they did this again with fairly simple methodology. It was a password spray attack. So basically, they just took lots of different ways that people might use a password and put it across all of their systems. This really highlights why you need to have good password hygiene across your corporation, and governments everywhere because that is a way, not just with nation-states, but across the whole adversarial cyber field that we’re seeing people get access is through credentials. So, it’s a really important thing to identify. And then I think you can’t talk about Russia’s activities without mentioning the war in Ukraine, because there definitely is a cyber war going on as well as the on the ground war. One of the things we’ve seen fairly recently was they hacked into webcams in Kiev, so that they could look at what air defenses were being used in the city and they did that ahead of a missile attack. They wanted to see where their missiles would be defended and where they wouldn’t. That is a real-world example of how the cyber and the real world are linked together and they’re utilizing cyber tools to help them with military campaigns.

In terms of Iran, there is a group known as, Mint Sandstorm. So again, using phishing techniques, but social engineering as well. This is something we see a lot with Iranian actors – utilizing social media and fake social media accounts to lure people into giving them what they want. We saw them on a large recruitment and job networking sites that were creating these accounts, creating several levels of personas that knew each other to make them look as, as real as possible and then we’re using that to identify people that they wanted to target as part of the Israel-Gaza conflict. They were using this as an espionage dash intelligence gathering campaign. With these campaigns, it’s not just about disruptive action or getting access, sometimes it’s just understanding things that are going on to help them with other areas.

Then North Korea, again, is a trickier one just because of their isolationism and the groups that we see. Probably the most prominent group that’s been mentioned in recent years, and they have been around for a long time now is Lazarus. They have been involved in significant financial thefts as well as espionage. So, a lot of cryptocurrency, ransomware attacks, etc. They were responsible for the Sony hack way back when, I believe it was 2016, but as recently as this year, they’re still operating. They were seen conducting cyber espionage campaigns, targeting defense technologies, again creating fake social media profiles, and then deploying malware once they’ve got access to individuals. So, you know, there’s a range of activities that are going on and that very much is a high-level overview of some of the activities. There’s probably a lot more going on that we don’t know about, and a lot more going on that we do know about, but it hopefully gives you a sense of the types of campaigns that they’re conducting and also the variety of people that they’re targeting. I think you said earlier about governments obviously care about attribution, and they should, and their governments hopefully are better at attribution, but I think there’s an old world view that nation-states and spying and espionage is a thing between governments and these days with cyber, it just isn’t like everyone is vulnerable to attacks. Everyone has information worth stealing, so everyone has to be vigilant.

Mark: It’s notable that in your answer, in talking about the various cyber campaigns conducted by these countries that many, if not most of them, are using basic password access, phishing, social engineering, as opposed to, Zero-day exploits that they have access to on an exclusive basis. That’s quite notable.

Erin: Zero-day exploits are really hard to develop and they’re really expensive to develop. If you don’t need them, because you can get in by a weak link of a person clicking on a link or believing a phishing email, then then why waste your time and infrastructure? I would say they still definitely do utilize those Zero-day attacks and that is something that’s developed, especially Russia and China, but those are the ones that it’s harder to hear about, right? Those are the ones that they don’t want people to know what that capability is and who they’re targeting. And they would save that for their most important victims.

Mark: We, in the cyber security industry, live in evolving times. There’s a lot of changes in technologies and I would include in that, by the way, artificial intelligence, the rise of artificial intelligence. How does that affect how these four countries are both organizing themselves and conducting their cyber operations?

Erin: I think in the same way that the rest of us are, right, they’re still learning. They’re still coming to grips with these new technologies and how they can utilize them and how they’re going to work, but they definitely are. I think they definitely want to utilize them and there is a growing sophistication. We have seen particular countries trying to target AI companies. I think there was an article, a month or two ago about OpenAI reporting, I think it was 4 or 5 specific APT actors that they had kicked off of their site and they were using AI to do the things that a lot of other people are doing, like help them with their work, but also create phishing emails and ask it questions to do research for them about the capabilities that other countries and their victims have. So, we know that they’re using AI, we know that that’s happening.

There are also, I believe it was China, I’m trying to remember – it was either China or North Korea, but they’re actually investing in companies that are developing AI in certain areas of the world so that they can own that technology for themselves as well. What I would say with AI and those technologies is the US and Europe and the likes of OpenAI, oh, I can’t their name is escaping me. But, you know, the prominent AI providers at the moment, they are far and above, ahead of Russia, and China at the moment. But I was actually at a talk with someone from those companies a couple of weeks ago, and they were saying, we’re only a couple of months ahead and they are going to catch up, like it is going to happen. So, it’s something that everyone needs to be aware of and needs to be vigilant about. I think the takeaway point from that is that they are using it. They are keeping an eye on emerging technologies. They themselves as well have to constantly evolve to remain relevant and successful because people’s defense gets better all the time. So, you need to constantly evolve to get around those defenses and those ways of operating. It’s definitely something that they focus on.

Mark: You mentioned earlier, by the way we’re a darknet company and we cover the darknets, and we cover darknet adjacent sites. You mentioned earlier in one of your answers the use of the darknet by citizens in countries which are behind firewalls or where they have limited access to the outside internet. But how do the countries themselves use darknet and these other online platforms in their own operations?

Erin: Yeah, that’s a difficult one and it’s a bit murky. Again, going back to that attribution problem and especially on the dark web where everyone is trying to stay as anonymous as possible to know who is doing what. We know that they definitely do utilize it. We know that there are probably actors on there that are sowing disinformation and details on the dark web and sharing them. But, you know, one of the things that we’ve seen more in recent years and is a bit more obvious is hacktivist groups and criminal groups that are associated or in somewhat sanctioned by governments. So, we’ve seen this with Killnet in Russia and a handful of other groups that came out in support of Russia when the invasion of Ukraine happened, and they are very active on things like Telegram. They will say who they’re targeting. They will say why they’re targeting them. They’re often going after NATO participants. They will show evidence of defacements or DDoS attacks. So, they’re very vocal and they want people to know what they’re doing, and they do have those links or at least a nationalist fervor that is very clear. And we see that other groups linked to North Korea and Iran also have telegram channels and other channels that are very vocal. One of the interesting things that we’ve seen, though, that is less how they’re operating but gives us more insight into how they’re operating, is we have seen a lot of data leaks relating to some of these countries and their governments. Everyone’s falling victim to data leaks in recent years. It’s big business on the dark web – selling that data, but there’s been a huge increase in the last probably 6 to 9 months, especially for China in terms of government data being leaked. There was a huge leak of the Shanghai police late last year that was assessed to be one of the biggest breaches ever, data breaches ever, and it had a huge amount of information about their law enforcement, but also their tools that they were using to target their citizens. So, it gave security analysts insight into what they’re doing that the governments wouldn’t necessarily want them to have and there was another recent one as well on a GitHub repository. So slightly not the dark web, but where it was one of the front companies that was conducting cyberattacks on behalf of China. All of their information was released, and we’ve seen large scale releases of Russian data, Israeli data as well, talking about those conflicts. There is information like that and while we’re all looking at that dark web data and saying, oh, this is giving us insights into these countries that we don’t know as much about. You can believe that they are also doing the same. So, when there are leaks of US, UK, European data, those countries are definitely going to have individuals that are on those dark websites collecting that data and reviewing it as well.

What do we do about this? It’s not like these four countries are going to wake up tomorrow and become parliamentary democracies and decide to conform to rules of international law. So, what do we do? What do we do about this?

Erin: I think it’s points we’ve already mentioned. You just have to be vigilant, and you have to have as much security as possible. I think there’s education that needs to happen to people about how you should operate, as you said, like these phishing techniques, password spray attacks, things like that. They’re fairly simple and they’re things that we can educate people about and I think we’ve been too focused in recent years on; okay, people know that if you get a bad email that you shouldn’t click on it, hopefully most of the time, but we’re seeing more and more smishing attacks, so text messaging and with the advent of AI, you can develop someone’s voice and get them to say anything you want them to say. So, you can get like a voicemail from your boss telling you to send you money or to click on a link. Things are becoming way more sophisticated in terms of how attacks can be conducted and therefore, our education to people about how to combat those attacks needs to be more sophisticated and I think it’s just staying up to date with what these threat actors are doing and this isn’t just the nation-states, it’s across the board, like what tools and techniques are being utilized, and are your systems set up to protect against those vulnerabilities? So I think it’s trying to be as proactive as possible and not just reacting when attacks happen.